Intro

Security Champions Playbook is a project started in preparation for the presentation "Security Champions 2.0" at OWASP Bucharest AppSec Conference 2017. It describes the main steps for fast establishment of a Security Champions program regardless of the company size and maturity of the existing security processes.

Who are the Security Champions?

According to OWASP definition, Security Champions are "active members of a team that may help to make decisions about when to engage the Security Team". They act as a core element of security assurance process within the product or service, and hold the role of the Single Point of Contact (SPOC) within the team.

More information about the Champions: https://www.owasp.org/index.php/Security_Champions

What benefits do Champions bring to my company?

Main advantages of having a team of Security Champions:

  • Scaling security through multiple teams
  • Engaging "non-security" folks
  • Establishing the security culture

Security Champions Playbook

To keep it simple, I've listed six easy-to-follow steps with clarifications for each step. Chapters include general recommendations, links to known good sources as well as personal experience. I will be happy to hear your feedback and update the playbook. Current version:

1. Identify teams

2. Define the role

3. Nominate Champions

4. Set up communication channels

5. Build solid knowledge base

6. Maintain interest


Simplified diagram

alt text